Spammers Hijack Email Marketer Accounts to Send Malicious Messages
Attackers are increasingly targeting email marketing firms and corporate email accounts to power their spam campaigns, Websense Security researchers reported.
Websense Security Labs has observed a rise in spam being sent from corporate Webmail accounts, wrote David Saunders, email threat research team manager at Websense Security. More and more webmail accounts belonging to email marketing organizations are being compromised to send spam with malicious links, Saunders said.
Many email marketing firms have an external-facing Web portal that allows customers to log in and manage their campaigns. These Web accounts generally require basic password authentication. Once compromised, spammers have access to the actual infrastructure to send out emails as well as a list of potential victims. The management portal is often integrated with CRM services, which exposes even more information to attackers.
"These marketing companies represent soft and potentially lucrative targets," Saunders wrote.
In most cases, employees are tricked into giving up account passwords through a phishing attack. Webmail accounts are also subjected to brute-force attacks to uncover accounts with weak passwords, according to Saunders. Marketing firms are targeted especially because their Web reputation makes it more likely that emails sent from these organizations would bypass spam filters.
The compromised companies that Websense analyzed in one spam campaign also included the customer's account name in the email address, which made it easy for attackers to discover.
"A simple password may be all that is stopping your organization from sending your entire customer base a malicious email," Saunders wrote.
After email marketing firm Epsilon was compromised earlier this year, security experts predicted that thieves might use the information to launch phishing and spam campaigns against the victims. The list of affected Epsilon customers included several financial organizations, major hotel chains and big retailers. Instead of sending out emails purporting to be from JPMorgan Chase, one of the banks affected by the breach, scammers could target an exact list of people who are unlikely to dismiss the email messages out of hand.
Websense analyzed an email sent from a compromised account at an email marketing company in Argentina. The account belonged to an international clothing retailer. The Websense team was able to verify that the email came from the marketing company's servers by checking the Sender Policy Framework records. An SPF is an email validation system designed to prevent spam by verifying sender IP addresses to confirm that the messages were sent by an authorized machine on the domain.
The message masqueraded as an order confirmation email, but all the links in the message pointed to an Internet domain with a name similar to the company's real site that had been registered on the day the messages were sent. If the recipient clicked on the links in the mail, they would go to the malicious domain, which would try to download a Zip file with a booby-trapped document onto the user's computer.
Websense ran the file through malware-tracking site VirusTotal and found that none of the major security vendors were able to detect the fake invoice file as of Sept. 20, when the emails were first sent. Within 48 hours, however, 24 of 44 major antivirus products were able to successfully detect and block it, according to VirusTotal.
A day after the first wave of spam messages went out, the attacker compromised another account at the marketing firm and registered a new domain spoofing that customer. Spammers switched to a different marketing provider in Australia and compromised a travel company's account. While they registered a new domain, they used legitimate links in the message and compromised the travel company's Website to redirect visitors to the fake site.
"The additional step was probably taken to avoid basic outbound email filtering by the marketing company," Saunders wrote.